validation certificate against cacert

 
 
Stone
09-16-2011
Dear programmers,

I would like to ask you if there is any way to compare a certificate
against the cacerts file.
I have already loaded the certificates into a keystore like this:

    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    String filename = System.getProperty("java.home")
            + "/lib/security/cacerts".replace('/', File.separatorChar);
    System.out.println(filename);
    FileInputStream in = new FileInputStream(filename);
    BufferedInputStream bis = new BufferedInputStream(in);
    KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
    String pwd = "changeit";
    keystore.load(in, pwd.toCharArray());

Is there any way to validate a certificate in the TrustManager?
My TrustManager is:
    System.out.println("Initialization of Trust Manager");
    trustManager = new TrustManager[] {
        new X509TrustManager()
        {
            //X509TrustManager sunJSSEX509TrustManager;
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                System.out.println("InitializeTrustManager: getAcceptedIssuers:");
                //return sunJSSEX509TrustManager.getAcceptedIssuers();
                return null;
            }

            public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
            {
                for (int j = 0; j < certs.length; j++)
                {
                    System.out.println("initializeTrustmanager: checkClientTrusted:" + certs[j] + " authTyp:" + authType);
                    System.out.println(" Subject DN: " + certs[j].getSubjectDN());
                    System.out.println(" Issuer DN: " + certs[j].getIssuerDN());
                    System.out.println(" Serial number: " + certs[j].getSerialNumber());
                }
            }

            public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
                    throws java.security.cert.CertificateException {
                for (int i = 0; i < certs.length; i++)
                {
                    X509Certificate x509Certificate = certs[i];
                    System.out.println("InitializeTrustManager: checkServerTrusted:"
                            + x509Certificate.getIssuerX500Principal().getName() + "AuthTyp:" + authType);
                    System.out.println("InitializeTrustManager: checkServerTrusted:" + x509Certificate.getIssuerDN());
                }
            }

            public boolean isClientTrusted(X509Certificate[] arg0)
                    throws CertificateException
            {
                System.out.println("InitializeTrustManager: isClientTrusted: ");
                return true;
            }

            public boolean isServerTrusted(X509Certificate[] arg0)
                    throws CertificateException
            {
                for (int i = 0; i < arg0.length; i++)
                {
                    System.out.println("InitializeTrustManager: isServerTrusted: " + arg0[i].getIssuerDN());
                }
                //TODO
                return true;
            }
        }
    };


Thank you in advance
Petr
 
 
 
 
 
Daniele Futtorovic
09-16-2011
On 16/09/2011 08:50, Stone allegedly wrote:
> Dear programmers,
>
> I would like to ask you if there is any way to compare a certificate
> against the cacerts file.
> I have already loaded the certificates into a keystore like this:
>
> <snip />


Funny you should want to validate against the cacerts file in an
X509TrustManager, for, if I'm not mistaken, that is precisely what the
default TrustManager does. You might want to look for its source code
online (for instance here:
<http://www.docjar.com/docs/api/sun/security/ssl/package-index.html>).

Anyway, the task isn't complicated, although the code is somewhat
convoluted. You'll have to establish a chain (of certificates) from the
certificate you're trying to validate to one of the root certificates in
the trust store.

A quick search turned up this guide:
<http://download.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html>

--
DF.
Determinism trumps correctness.
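
The chain validation described in the reply above, as an added example that is not part of the original thread: an X509TrustManager that turns the peer chain into a CertPath and validates it with the PKIX CertPathValidator against the CAs in cacerts. The class name CacertsTrustManager is hypothetical; the cacerts path and password are the ones from the question, and revocation checking is switched off on the assumption that no CRL or OCSP source is configured.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; added example, not code from the thread.
public class CacertsTrustManager implements X509TrustManager {
    private final KeyStore trustStore;

    public CacertsTrustManager() throws Exception {
        // Default cacerts location and password, as used in the question.
        String file = Paths.get(System.getProperty("java.home"),
                "lib", "security", "cacerts").toString();
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file)) {
            trustStore.load(in, "changeit".toCharArray());
        }
    }

    private void validate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        try {
            // The chain is expected leaf-first, the order JSSE passes it in.
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            // Every certificate entry in cacerts becomes a trust anchor.
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP configured
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("chain not trusted by cacerts", e);
        }
    }

    public void checkServerTrusted(X509Certificate[] c, String authType) throws CertificateException { validate(c); }
    public void checkClientTrusted(X509Certificate[] c, String authType) throws CertificateException { validate(c); }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } // never null
}
```

This checks the certificate chain only; hostname verification is a separate step. A TrustManagerFactory obtained with TrustManagerFactory.getDefaultAlgorithm() and initialised with a null KeyStore returns the JRE's own manager backed by the default trust store, which is the behaviour the reply refers to.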
 